WordCamp U.S. 2017 Recap – Beating Hackers to the Draw in Nashville

By Adam Warner

After a year of anticipation and planning, SiteLock arrived in Nashville, TN for WordCamp US – ready to ‘beat hackers to the draw!’ We sponsored the event again this year, allowing us to meet many of the 1,702 attendees from all around the world. There were also 1,182 viewers who live-streamed the event, making the total attendee count a whopping 3,584!

Tags:   WordPress blog, WordPress security blog, WordCamps, WordPress news, WordPress hacks
Categories:  WordCamp
WordCamp Seattle 2017 – The Emerald City Event

By Adam Warner

This past weekend SiteLock attended WordCamp Seattle as a Gold sponsor. It was a heavily attended event with almost five hundred WordPress designers, developers, and content creators who filled the Washington State Convention Center’s Tahoma space on the third floor.

Our experience as a sponsor was excellent! Organizers did a fantastic job placing all the sponsor tables in the same room as registration and refreshments, and we had ample room to interact with attendees and learn more about their businesses and the security needs of their clients.

In addition to chatting with attendees, we really love the content that WordCamps offer and the schedule in Seattle provided some unique talks. Here are a few of our favorites:

Categories: WordCamp

WordCamp Phoenix 2017 – Feeling Right at Home

By Adam Warner

WordCamp Phoenix has a reputation for being a great event. And lucky for SiteLock, it was close to our headquarters in Scottsdale, allowing more of the SiteLock team to attend than usual, many of them first-time WordCampers!

As someone who works remotely and travels often, this event was especially fruitful for me because it meant I could spend some quality time with our entire team, many of whom I’ve never met in person due to our rapid growth.

Categories: WordCamp

Heads Up: WordPress 4.8.3 Security Release

By Jessica Ortega

WordPress released version 4.8.3 today, which includes a critical security patch. WordPress is advising that all versions 4.8.2 and earlier are vulnerable to SQL injection attacks, and that all sites using WordPress should be updated immediately. The vulnerability in question is related to the $wpdb object, where $wpdb->prepare() can create queries that allow attackers to inject malicious code into the MySQL database that powers the site. WordPress is reporting that the vulnerability does not impact core application files, but may impact plugins and themes that use WPDB. The security team has added hardening to prevent these add-ons from inadvertently creating the vulnerability.

We are recommending that all WordPress sites be updated immediately. If you have enabled automatic updates, these should complete within the next 24 hours. Additionally, all plugins and themes associated with your WordPress sites should be updated to their latest vendor-provided versions. This will help to ensure your site is not compromised.

It is also recommended that you utilize a malware and vulnerability scanner, such as those provided with SiteLock INFINITY, to prevent infections on your site.

Categories: WordPress security

SiteLock Digital Kids Fund Campaign 2017

By SiteLock

‘Tis the season to give back, and at SiteLock we are extremely passionate about giving back to the communities where we live and work. We are especially dedicated to supporting STEM (Science, Technology, Engineering and Math) programs for schools in need, and helping to inspire the next generation of technology innovators and pioneers!

According to the U.S. Department of Commerce, in the last decade employment in STEM jobs has grown 24.4%, making it vital that children in school today have access to the necessary tools to keep up with and continue growth in this field. However, most states provide less support per student for elementary and secondary schools than before the Great Recession. In an effort to bring continued awareness to this ongoing issue, SiteLock established a Digital Kids Fund in 2015 to help fund technology-based projects at local schools in Arizona. For every SiteLock product purchased by WordPress customers, SiteLock donates $1 to the fund.

In 2016, SiteLock partnered with DonorsChoose.org, an organization that makes it easy for anyone to help a classroom in need, to fund STEM-related projects in schools in the Phoenix, Arizona and Jacksonville, Florida areas. Through its donation, SiteLock was able to support 198 projects benefiting 19,992 students at 141 schools.

This year, SiteLock has once again joined forces with DonorsChoose.org to fund STEM projects for schools in the Phoenix and Jacksonville areas. To help drive additional advocacy and internal support, SiteLock is allocating additional funds to employees so they can individually choose a STEM-related project to fund.

At SiteLock we are reminded every day of the importance technology plays in our lives and work. Unfortunately, kids go to school every day without the necessary tools to be successful. Through our partnership with DonorsChoose.org and the Digital Kids Fund, we are excited to play our part in helping inspire the next generation of technology experts in our local communities.

As we enter the season of giving, here are some ways you can help too!

  • Share this post
  • Donate to one of the SiteLock match donation programs
  • Donate to projects of your choice at DonorsChoose.org

$1 of the purchase price from the sale of every SiteLock product purchased by WordPress customers from 10/1/17-10/1/18 will be donated to the fund* to support classroom projects on DonorsChoose.org.
*Up to $50,000 annually. This contribution is not tax deductible by purchasers and sales must be made through SiteLock.com or a SiteLock representative.
Categories: Giving Back

A Short History of the WordPress Plugin

By Adam Warner

WordPress plugins allow users to completely customize their website features and experience for visitors, and also serve as a mainstay of the WordPress experience. It’s safe to say that without them, WordPress wouldn’t have grown to power over 28% of the internet. But did you know that WordPress used to exist without plugins? In this post, I’ll give you a short history of when and why plugins came to be and what the future holds for WordPress because of them.

Categories: WordPress Benefits

WordCamp Portland 2017 – Not Weird at All

By Adam Warner

The SiteLock team recently traveled to Oregon for WordCamp Portland where we had a sponsor table and met many (if not most) of the attendees. It was a busy camp morning for me because I also presented a session titled “5 Steps to Personal and Website Security”. I’m happy to report that my session was received very well among the WordCampers.

The Sponsor Experience

First and foremost, I want to give a shout-out to the #WCPDX organizers. They did an excellent job ensuring the sponsor tables were placed in a room that received steady traffic. The tables were set up between the session rooms, also conveniently located next to the coffee, water, and other refreshments.

The Talks

As with most WordCamps, the session topics were relevant to all types of WordPress users, and the session times were 35 minutes, plus 10 minutes at the end for Q&A. However, there were also lightning talks of 10-15 minutes, which were informative and entertaining.

Ethan Clevenger’s lightning talk discussed how to succeed as a freelancer, and in particular, the reasoning behind raising your prices and how to avoid the fear of making less money. Not only did his talk give valid advice on increasing your revenue while reducing your need to “constantly chase new clients,” but Ethan was also pretty hilarious in the delivery of his content.

In Praise of the Side Project: Learn New Skills, Make Money, and Have Fun.

Rachel Cherry is a Senior Software Engineer at The Walt Disney Company and delivered a unique and inspiring talk to those in attendance. She showed proof that side projects can lead to bigger things like Apple, Twitter, and even Gmail. The point she made, though, was that they don’t always have to; sometimes side projects can simply be for testing the waters. This could include learning a new software package, drafting a blog about your favorite food to improve your writing skills, or building websites to razz your friends (#hiroy). Judging by the comments after, her talk made those in attendance feel at ease and less worried about their half-done projects.

Automating Your Workflow

Andrew Taylor’s talk about automation was great. Specifically, he advocated automating as much of your daily workflow as possible in order to put processes in place that you can rely on, which also makes you more productive. Even though it was a lightning talk, he packed in both the philosophy behind continuous integration and some actual methods he uses in his day-to-day routine.

Don’t Waste Your Content: Repurpose and Keep It Alive

Bob Dunn, more commonly known as BobWP online, delivered a great talk on why and how to repurpose any content you’ve created. He’s been blogging for ten years and produces three successful podcasts. How does he do it? You guessed it, repurposing content in order to save time and meet the needs of his different audiences.

A Little Fun and Frustration with Our Raffle

We always try to do something a little special at WordCamps, in addition to giving out webcam covers and t-shirts. In Portland, we raffled off an Amazon gift card, which was a fun experience. When reading the winning ticket numbers, we had to go through A LOT of them before we finally had a winner. It actually turned out to be pretty entertaining and helped build anticipation.

By all accounts, WordCamp Portland was a great event and one I know we’ll be back to next year. If you weren’t able to attend and you’d like to know more about SiteLock, I encourage you to read more about our company and products, like malware scanning and auto-removal, as well as our web application firewall options.

See you next year!

Categories: WordCamp

How SiteLock Saved a Whale Watchers Website [Case Study]

By SiteLock

Company Overview

Hyannis Whale Watcher Cruises is dedicated to providing ‘Cape Cod’s Finest Whale Watching!’ Established in 1989, the company brings more than thirty years of experience to whale watching, with an impressive sighting rate of 99 percent. As the company’s popularity grew, its website was forced to expand from an initial online brochure to a comprehensive resource including whale watching information, trip scheduling and online ticket purchasing. These changes also greatly increased customer reach both nationally and internationally.

Categories: SiteLock Reviews, WordPress security

Threat Intercept: SiteLock Discovers XSS Vulnerability in WooCommerce Extension

By Ramuel Gall

This article was co-authored by Product Evangelist Logan Kipp.

THREAT SUMMARY

WordPress Website Security Threat Level: Low

Category: XSS – Reflected

Trend Identified: 7/25/2017

CVE ID: N/A

Threat Name: N/A

Vector: Browser/JavaScript

The threat rating was determined using the following metrics:

Complexity:

MEDIUM: While initial exploitation is low complexity, weaponization requires action from the victim.

Confidentiality Impact:

MEDIUM: Successful exploitation of this vulnerability could potentially hijack individual browser sessions.

Integrity Impact:

MEDIUM: Successful exploitation of this vulnerability could potentially hijack individual browser sessions.

What is it?

SiteLock recently found a reflected cross-site scripting (XSS) vulnerability in the WooCommerce “Product Vendors” plugin for WordPress. Reflected XSS vulnerabilities differ from persistent XSS in that each attack is completed in the duration of a single session, rather than permanently modifying the impacted site. According to the Open Web Application Security Project (http://www.owasp.org):

The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.

Who is impacted?

Websites running the WooCommerce “Product Vendors” plugin versions 2.0.35 and older are vulnerable to this exploit. Fortunately, Automattic (WooCommerce’s parent company) patched the vulnerability almost immediately after being contacted by SiteLock. Unfortunately, many site owners do not update their plugins frequently, or at all. If you use Product Vendors for WooCommerce, make sure that you are running the most recent version (v2.0.38 at the time of writing).

How was it found?

Our automated scanner alerted us to an XSS vulnerability on a customer’s website, which we determined was due to the WooCommerce “Product Vendors” plugin. What was unusual in this case is that the vulnerable plugin was, at the time, the most recent version, so no patches were yet available for the vulnerability. Following our Responsible Disclosure Policy, we immediately contacted Automattic concerning our findings, provided all relevant information on the vulnerability, and coordinated this disclosure.

Remediation Steps

The simplest way to fix this vulnerability is to update the plugin to the newest version, which was patched less than a week after the vulnerability was reported. Fortunately for SiteLock TrueShield customers, emergency policy updates were pushed to protect against this vulnerability as soon as it was discovered. However, we still recommend updating WooCommerce Product Vendors to the latest version.

Technical details

Overview

WooCommerce Product Vendors is a WordPress plugin which allows eCommerce sites to create a marketplace with multiple vendors, taking commissions from each vendor’s sales. The XSS vulnerability was found in the Vendor Signup form, which can be placed anywhere on the site.

Cause

This version of the plugin has a reflected XSS vulnerability because the $_POST parameter for vendor_description, which allows vendors to insert a description of their company, is not properly escaped, allowing arbitrary JavaScript to be executed in a visitor’s browser.

Reproduction Steps

In this case, the issue was reproduced using the below cURL request, and verified when the output showed the unaltered script.

Exploitability

$_POST parameter XSS vulnerabilities are often underestimated because it’s not possible to exploit them by directly sending a victim to the vulnerable URL. This difficulty is easily circumvented by first directing the victim to an attacker-controlled form that uses JavaScript to submit itself. As $_POST parameters are not directly visible in the URL, this also hides any suspicious parameters that would appear in a $_GET exploit. Additionally, as $_POST requests do not have the same character limit as $_GET requests, a larger payload can be delivered.

Note: It is also possible to craft a data:// URL that includes a self-submitting form, negating the need for the attacker to control another site. However, many browsers impose a length limit on data URLs, and data URLs are unusual enough to elicit suspicion in a potential victim.

Impact

As with all reflected XSS vulnerabilities, the impact depends on the ingenuity of the attacker. Reflected XSS allows an attacker to take control of the victim’s browser for as long as the tab is open on the vulnerable site, and victims are far more likely to leave a tab open on a site that appears to be legitimate. Stealing credentials, hijacking sessions, or exfiltrating payment information entered on the vulnerable site may also be possible, depending on the site’s configuration and the security measures in place.

Remediation

If updating to the latest version is not possible, this vulnerability can also be patched by escaping the $_POST['vendor_description'] parameter on line 61 of wp-content/plugins/woocommerce-product-vendors/templates/shortcode-registration-form.php using the esc_attr() WordPress function.
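The fix described above, as an added illustration that is not the plugin's own template code: a constructed stand-in for the signup form's vendor_description field, rendered once without escaping (the pattern the advisory describes) and once through esc_attr(). Outside WordPress esc_attr() is undefined, so the script supplies an approximation built on htmlspecialchars(); inside WordPress the real function is used.

```php
<?php
// Added example: a constructed stand-in for the vendor_description field of
// the Product Vendors signup form. It is NOT the plugin's template code.
// esc_attr() is a real WordPress function; this stand-in is only defined
// when the script runs outside WordPress and approximates it by encoding
// <, >, &, " and ' so the value cannot break out of an HTML attribute.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern: the submitted description is written straight back
// into the form's value attribute, so markup in the submission becomes
// part of the page that the visitor's browser renders.
function render_description_vulnerable(array $post) {
    $value = isset($post['vendor_description']) ? $post['vendor_description'] : '';
    return '<input type="text" name="vendor_description" value="' . $value . '">';
}

// Hardened pattern: the same field, with the value passed through esc_attr()
// (the remediation the advisory names) before it is echoed.
function render_description_fixed(array $post) {
    $value = isset($post['vendor_description']) ? $post['vendor_description'] : '';
    return '<input type="text" name="vendor_description" value="' . esc_attr($value) . '">';
}

// Constructed sample submissions: a benign vendor name, and a string that
// closes the value attribute and adds markup of the submitter's choosing,
// which is the attribute break-out behind the reflected XSS reported here.
$samples = [
    'Acme Widgets',
    '"><b>injected</b>',   // constructed test string, not a live payload
];

foreach ($samples as $description) {
    $post = ['vendor_description' => $description];   // stands in for $_POST
    echo "Input:      " . $description . PHP_EOL;
    echo "Vulnerable: " . render_description_vulnerable($post) . PHP_EOL;
    echo "Fixed:      " . render_description_fixed($post) . PHP_EOL . PHP_EOL;
}
```

Run with `php` on the command line: the vulnerable output for the second sample contains a closed attribute followed by a `<b>` element, while the fixed output keeps the whole string inside the attribute as `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`.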

Categories: WordPress security

WordCamp Denver 2017 – WordPress Knowledge Stacked a Mile High

By Adam Warner

Last week we found ourselves in Denver, CO for another amazing WordCamp. We sponsored the event as part of our global sponsorship program, which also included table space that gave us ample opportunity to meet existing SiteLock customers and explain our website security services to those new to the WordPress community.

Categories: WordCamp